The Hacker News — Cyber Security, Hacking, Technology News

Since most of us rely upon the Internet for day-to-day activities, hacking and spying have become a prime concern today, and so have online security and privacy.

Governments across the world have been found to be conducting mass surveillance, and then there are hackers and cybercriminals who are always looking for ways to steal your sensitive and personal data from ill-equipped networks, websites, and PCs.

Even most online services and websites today collect your personal data, including search histories, location data, and buying habits, and make millions by sharing it with advertisers and marketers.

In short, we have no or very little online privacy.

This is why schools, colleges, hospitals and other small and big businesses are moving towards adopting a solution that allows them to store and access their personal data securely. The solution: Virtual Private Network.

The VPNSecure Lifetime Subscription is available for just $39 at THN Deals Store. Isn't this an excellent deal: a one-time flat fee for a lifetime VPN subscription?

3. Windscribe VPN: Lifetime Pro Subscription (92% OFF)

Windscribe VPN is a combination of VPN and Browser-Based Privacy Suite, which not only encrypts your Internet activity and protects you from prying eyes but also keeps you protected from being tracked by the online sites you visit.

Windscribe VPN is the easiest to use and powerful VPN client you will ever use. No need to configure anything, just install and forget about it.

The VPN also includes a Firewall that disables all Internet connectivity, preventing an IP leak in case of a disconnect.

A security researcher has found four vulnerabilities, including a critical remote code execution bug, in OpenVPN that were not caught in the two big security audits of the open source VPN software this year.

OpenVPN is one of the most popular and widely used open source VPN software solutions mostly used for various connectivity needs, but it is especially popular for anonymous and private access to the Internet.

This year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software – one conducted by a team led by Johns Hopkins University crypto-boffin Dr. Matthew D. Green.

The audits resulted in a patch of a few vulnerabilities in the widely used open source software, giving OpenVPN a clean chit.

Researcher Used Fuzzer to find Bugs in OpenVPN

Researcher Guido Vranken of the Netherlands exclusively used a fuzzer and recently discovered four security holes in OpenVPN that escaped both security audits.

Three of the four flaws the researcher discovered are server-side, two of which cause servers to crash, while the remaining one is a client-side bug that could allow an attacker to steal a password to gain access to the proxy.

The most critical vulnerability of all is CVE-2017-7521, which affects OpenVPN on the server side and resides in the extract_x509_extension() function, which deals with SSL certificates.

The vulnerability could allow a remote authenticated attacker to craft and send a certificate that either crashes the OpenVPN service or triggers a double free that potentially leads to remote code execution within the server.

Vranken was not able to demonstrate the RCE bug but argued that remote code execution could be achieved in theory. In a report published Wednesday, he explained how one could achieve a remote memory leak because of the service's failure to check a particular return value.

"If you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory," Vranken said in his report. "So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved."

"But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit."
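The unchecked-return pattern behind the double free described above, as an added C example that is not OpenVPN's or OpenSSL's code: `to_utf8`, `tracked_free`, `walk` and the sample names are hypothetical, and one conversion is made to fail to stand in for an allocation failure. The free wrapper counts a repeated release instead of performing it, so the program runs safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class; NOT OpenVPN or OpenSSL code. */
static const char *SAMPLE[] = {"alt-name-0", "alt-name-1", "alt-name-2"};
static int fail_at, conv_calls;      /* which conversion simulates OOM */
static void *released[16];           /* pointers already handed to free */
static int nreleased, double_frees;

/* Hypothetical converter: can fail under memory pressure; on failure it
 * returns -1 and leaves *out untouched (still the previous pointer). */
static int to_utf8(char **out, const char *in) {
    if (conv_calls++ == fail_at) return -1;
    if (!(*out = malloc(strlen(in) + 1))) return -1;
    strcpy(*out, in);
    return (int)strlen(in);
}

/* Quarantining free: records the pointer and counts a repeat instead of
 * freeing twice. The real free() is deferred to the start of the next run. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nreleased; i++)
        if (released[i] == p) { double_frees++; return; }
    if (nreleased < 16) released[nreleased++] = p;
}

/* checked == 0: "before" form, result ignored, buf keeps the stale pointer.
 * checked == 1: "after" form, result tested and pointer cleared on release. */
static int walk(const char **names, int n, int fail, int checked) {
    char *buf = NULL;
    for (int i = 0; i < nreleased; i++) free(released[i]);  /* new run */
    nreleased = double_frees = conv_calls = 0;
    fail_at = fail;
    for (int i = 0; i < n; i++) {
        int rc = to_utf8(&buf, names[i]);
        if (checked && rc < 0) continue;   /* skip the failed entry */
        tracked_free(buf);
        if (checked) buf = NULL;
    }
    return double_frees;
}

int main(void) {
    printf("unchecked: %d double free(s)\n", walk(SAMPLE, 3, 1, 0));
    printf("checked:   %d double free(s)\n", walk(SAMPLE, 3, 1, 1));
    return 0;
}
```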

The second vulnerability, CVE-2017-7520, resides in the way OpenVPN connects to a Windows NTLM version 2 proxy.

A man-in-the-middle attacker between the OpenVPN client and the proxy server can either remotely crash the client or steal the user's password to the proxy from a memory leak.

The vulnerability could be triggered only under certain circumstances, like when the client connects to a proxy through NTLM version 2 authentication, or when the client specifies a username ending with a backslash.

"If clients use a HTTP proxy with NTLM authentication (--http-proxy [|'auto'|'auto-nct'] ntlm2), a man-in-the-middle [MITM] attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory," the OpenVPN team explains.

"The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected."

The other two vulnerabilities (CVE-2017-7508 and CVE-2017-7522) are remote server crashes that could be triggered by sending maliciously crafted IPv6 packets or malicious data post-authentication.

Patches for Servers and Clients Already Available

Vranken responsibly disclosed all the vulnerabilities he discovered to the OpenVPN team in May and June and the team has already patched the issues in its latest version of the VPN software.

While there is no proof that any of the vulnerabilities has been publicly exploited, users are strongly advised to update their installations to OpenVPN versions 2.4.3 or 2.3.17 as soon as possible in order to be on the safer side.

For more in-depth technical details of all the vulnerabilities, you can head on to the report titled, "The OpenVPN Post-Audit Bug Bonanza," published by Vranken on Wednesday.

Data privacy is a serious concern today with the vast availability of personal data over the Internet – a digital universe where websites collect your personal information and sell it to advertisers for dollars, and where hackers can easily steal your data from the ill-equipped.

If this wasn't enough, the US Senate voted last week to eliminate privacy rules that would have forced ISPs to get your permission before selling your Web browsing history and app usage history to advertisers.

If passed, ISPs like Verizon, Comcast, and AT&T, can collect and sell data on what you buy, where you browse, and what you search, to advertisers all without taking your consent in order to earn more bucks.

How to Prevent ISPs And Hackers From Spying On You

So, how do you keep your data away from advertisers as well as hackers?

Private Browsing!

If you're worried about identity thieves or ISPs spying on or throttling your traffic, the most efficient way to secure your privacy on the Internet is to avoid mucking around in public networks; use a VPN instead.

But what is a VPN and how does the service enhance privacy and security?

A VPN, which stands for Virtual Private Network, is a secure tunnel between your computer and the destinations you visit on the Internet. Your computer connects to a VPN server, which can be located anywhere in the world, and your web traffic then passes back and forth through that server.

The result: you are browsing from that server's geo-location, not your computer's location. So your identity remains anonymous.

To ensure the privacy of your data, a VPN encrypts it. Some VPNs use SSL (Secure Sockets Layer) for encryption, while others might use IPSec or PPTP to keep your information encrypted from prying eyes.

Isn't that a great reason to use a VPN? Of course, yes.

Since there are so many services to choose from, THN Deals Store brings you some excellent and secure VPN services at highly discounted prices with lifetime subscriptions, so they won't weigh heavy on your pocket.

If you're searching for an affordable and reliable VPN service without any bandwidth limits, VPNSecure is a good pick.

This premium service is compatible with all operating systems — from Windows and Mac OS X to iOS and Linux — easy to use, offers lightning-fast connection and provides ultimate safeguards against ISPs and hackers.

With a strict no-log policy, VPNSecure has many servers located in over 41 countries and counting.

The VPNSecure Lifetime Subscription is available for $39 at THN Deals Store, which usually costs $450 — isn't this an excellent deal, a one-time flat fee for a lifetime VPN subscription.

This sale is set to expire in the next few days, though, so get your order in now.

If you are looking for an ad-free, completely secure Internet experience, you cannot get better than OneVPN.

OneVPN works double duty — cleaning up your browsing while also making sure you remain anonymous from hackers, ISPs and government who may be monitoring your web activity.

Unlike other VPN services, OneVPN lets you maintain a high speed while surfing the web with 60 servers based in 21 countries across the globe, so no matter where you travel to, you will be covered.

The OneVPN: Lifetime Subscription is available for just $49.99 and 2-Year Subscription for just $19.99 at THN Deals Store, which usually costs $477 and $238 respectively — which is a pretty amazing price.